More on Exception Handlers
http://blogs.msdn.com/b/david_leblanc/archive/2007/05/10/more-on-exception-handlers.aspx

Sitting here at "Blue Hat" watching David Maynor present – pretty cool working for a company that can host its own security conference just to educate employees…
A comment just came in that was a good question, and deserves a detailed answer –
Comment: Resilience is NOT necessarily a good thing
http://blogs.msdn.com/b/david_leblanc/archive/2007/05/10/more-on-exception-handlers.aspx#8447193
Thu, 01 May 2008 19:14:14 GMT
Larry Osterman's WebLog

I just ran into this post by Eric Brechner, who is the director of Microsoft's Engineering Excellence
Comment: re: More on Exception Handlers
http://blogs.msdn.com/b/david_leblanc/archive/2007/05/10/more-on-exception-handlers.aspx#4095145
Sat, 28 Jul 2007 09:59:04 GMT
Skywing

Certainly true w.r.t. doing things in-process - in fact, I would argue that trying to do much of anything within an unhandled exception filter type situation is extremely risky, even if you can magically ignore any security issues - anything done in the process is very likely to run afoul of the problem that caused the unhandled exception in the first place.

You can do a bit better with the crash dump stuff than creating a debugger after the fact like JIT debugging does, though - the route I typically go is to create a small watchdog process during startup, when everything's clean, and set up some sort of shared section view + event handle, such that an unhandled exception event results in the shared section being updated with a pointer to the exception pointers, the event is set, and the crashed thread goes to sleep. The watchdog process wakes from the event and performs the crash writing.

This insulates you much better than CreateProcess - among other things, you won't hit the heap, and you can be clever and do things like reprotect data (e.g. the pointer to the shared section referred to by the exception filter) used by the exception handler to read-only to make it more unlikely that someone will stomp on it.

Of course, unhandled exception filters have their own issues unless one does some underhanded tricks to deliberately subvert the UEF registration system to work around designed-in deficiencies in the API (see http://uninformed.org/index.cgi?v=4&a=5).
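As an added example (not code from the post or from Skywing), here is the watchdog design from the comment above carried over to POSIX in C so it can be run anywhere: a shared anonymous mapping stands in for the shared section view, a pipe for the event handle, a process forked while everything is still clean for the watchdog, and mprotect() for reprotecting the handler's data read-only. The signal handler does only async-signal-safe work (store plain values into the shared page, write one byte, park the thread) and the watchdog does the rest; where a real watchdog would write the dump, this one just copies the record out. The names run_supervised, crash_record and handler_ctl are this example's own, as is the deliberate null write used to exercise it.

```c
// Added example: POSIX analogue of the watchdog crash-capture design described above.
// Not code from the original post or from Skywing; names here are the example's own.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Record the faulting process leaves in the MAP_SHARED page. Plain values only,
   so the watchdog never has to chase a pointer into the dying address space. */
struct crash_record { int filled, signo, si_code; void *fault_addr; pid_t pid; };

/* Everything the handler touches lives in its own page so it can be made
   read-only once set up (the "reprotect the filter's data" point above). */
struct handler_ctl { struct crash_record *rec; int notify_fd; };
static const struct handler_ctl *g_ctl;

static void crash_handler(int signo, siginfo_t *si, void *uctx) {
    (void)uctx;
    struct crash_record *rec = g_ctl->rec;
    rec->signo = signo;
    rec->si_code = si->si_code;
    rec->fault_addr = si->si_addr;
    rec->pid = getpid();
    rec->filled = 1;
    char wake = 1;
    /* write() is async-signal-safe: no heap, no stdio, no process creation here. */
    if (write(g_ctl->notify_fd, &wake, 1) != 1) { /* nothing safe left to do */ }
    for (;;) pause(); /* stay frozen so the watchdog can inspect us, then kill us */
}

/* Run body() in a child with the handler installed while the caller plays watchdog.
   Returns 1 and fills *out if the child faulted, 0 if body() returned normally. */
int run_supervised(void (*body)(void), struct crash_record *out) {
    struct crash_record *rec = mmap(NULL, sizeof *rec, PROT_READ | PROT_WRITE,
                                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    int fds[2];
    if (rec == MAP_FAILED || pipe(fds) != 0) return -1;
    memset(rec, 0, sizeof *rec);

    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        close(fds[0]);
        struct handler_ctl *ctl = mmap(NULL, sizeof *ctl, PROT_READ | PROT_WRITE,
                                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        ctl->rec = rec;
        ctl->notify_fd = fds[1];
        mprotect(ctl, sizeof *ctl, PROT_READ); /* a stray write now faults instead of corrupting */
        g_ctl = ctl;

        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = crash_handler;
        sa.sa_flags = SA_SIGINFO;
        sigaction(SIGSEGV, &sa, NULL);
        sigaction(SIGBUS, &sa, NULL);

        body();
        _exit(0); /* closing our pipe end tells the watchdog we exited cleanly */
    }

    /* Watchdog side: block until the child either signals a fault or exits. */
    close(fds[1]);
    char wake;
    ssize_t n;
    do { n = read(fds[0], &wake, 1); } while (n < 0 && errno == EINTR);
    int crashed = (n == 1 && rec->filled);
    if (crashed && out) *out = *rec;
    /* A real watchdog would write the dump here, while the child is parked in pause(). */
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    close(fds[0]);
    munmap(rec, sizeof *rec);
    return crashed;
}

/* Two demo bodies (constructed for this example): a deliberate null write, and a clean return. */
void fault_on_null_write(void) {
    int *volatile p = NULL; /* volatile pointer: the compiler cannot fold the deref into a trap */
    *p = 42;
}
void return_normally(void) {}

int main(void) {
    struct crash_record rec;
    int crashed = run_supervised(fault_on_null_write, &rec);
    printf("crashed=%d signo=%d si_code=%d addr=%p pid=%ld\n", crashed, rec.signo,
           rec.si_code, rec.fault_addr, (long)rec.pid);
    printf("clean body: crashed=%d\n", run_supervised(return_normally, NULL));
    return 0;
}
```

The split mirrors Skywing's reasoning: the handler's only job is to get a few plain values across the process boundary and signal, so it touches no heap and no library state that the fault may have corrupted; the watchdog, which already existed before anything went wrong, has a healthy address space in which to do the expensive and fragile work.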